diff --git a/.env.example b/.env.example
index 9a91fed..1fdbfb0 100644
--- a/.env.example
+++ b/.env.example
@@ -5,10 +5,6 @@ POSTGRES_DB=budget
 POSTGRES_USER=budget
 POSTGRES_PASSWORD=changeme
-# Auth
-AUTH__AUTHORITY=https://auth.stwaddle.com
-AUTH__AUDIENCE=budget_api
-
 # Client (baked into Vite build)
 VITE_AUTH_AUTHORITY=https://auth.stwaddle.com
 VITE_AUTH_CLIENT_ID=budget-client
diff --git a/src/Budget.Api/Program.cs b/src/Budget.Api/Program.cs
index 7dd64be..61327de 100644
--- a/src/Budget.Api/Program.cs
+++ b/src/Budget.Api/Program.cs
@@ -17,12 +17,19 @@ var connStr = builder.Configuration.GetConnectionString("DefaultConnection")
 builder.Services.AddDbContext(opt => opt.UseNpgsql(connStr));
+var oidc = builder.Configuration.GetSection("Oidc");
 builder.Services.AddAuthentication(JwtBearerDefaults.AuthenticationScheme)
 .AddJwtBearer(options =>
 {
- options.Authority = builder.Configuration["AUTH__AUTHORITY"];
- options.Audience = builder.Configuration["AUTH__AUDIENCE"];
+ options.Authority = oidc["Authority"];
+ options.Audience = oidc["Audience"];
 options.MapInboundClaims = false;
+ var metadataAddress = oidc["MetadataAddress"];
+ if (!string.IsNullOrEmpty(metadataAddress))
+ {
+ options.MetadataAddress = metadataAddress;
+ options.RequireHttpsMetadata = false;
+ }
 options.TokenValidationParameters = new TokenValidationParameters
 {
 ValidateIssuer = true,
diff --git a/src/Budget.Api/appsettings.Development.json b/src/Budget.Api/appsettings.Development.json
index 0c208ae..4524d6f 100644
--- a/src/Budget.Api/appsettings.Development.json
+++ b/src/Budget.Api/appsettings.Development.json
@@ -4,5 +4,8 @@
 "Default": "Information",
 "Microsoft.AspNetCore": "Warning"
 }
+ },
+ "Oidc": {
+ "MetadataAddress": ""
 }
 }
diff --git a/src/Budget.Api/appsettings.json b/src/Budget.Api/appsettings.json
index 64f2d8a..2932264 100644
--- a/src/Budget.Api/appsettings.json
+++ b/src/Budget.Api/appsettings.json
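Review bot: In the Program.cs hunk, `options.RequireHttpsMetadata = false;` is applied whenever `Oidc:MetadataAddress` is non-empty, even when that address is an https URL, and the appsettings.json hunk in this commit makes a plaintext `http://` address the base default. The discovery document and signing keys the API uses to validate bearer tokens are then fetched without transport protection, so anything able to tamper with that hop can influence which keys are trusted. I would drive the relaxation from its own setting that defaults to secure, e.g. `options.RequireHttpsMetadata = oidc.GetValue("RequireHttpsMetadata", true);`. The TokenValidationParameters initializer continues past the hunk, so I cannot see whether `ValidIssuer` is pinned to `oidc["Authority"]`; if it is not, the accepted issuer is also taken from that document.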
@@ -8,5 +8,10 @@
 "AllowedHosts": "*",
 "ConnectionStrings": {
 "DefaultConnection": ""
+ },
+ "Oidc": {
+ "Authority": "https://auth.stwaddle.com",
+ "MetadataAddress": "http://auth:8080/.well-known/openid-configuration",
+ "Audience": "budget_api"
 }
 }
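Review bot: `"MetadataAddress": "http://auth:8080/.well-known/openid-configuration"` lands in the base appsettings.json, so every environment that does not override it fetches OIDC metadata over plaintext, and appsettings.Development.json has to blank the value out to get back to HTTPS discovery through `Authority`. The address looks deployment-specific (presumably a container-network hostname), so I would keep the base value as `"MetadataAddress": ""` and supply the internal URL from the deployment's environment, e.g. an `Oidc__MetadataAddress` variable. That keeps the secure behaviour as the default and makes the downgrade an explicit per-deployment choice.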